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DETAILED ACTION 

1 . This is in response to the amendment filed on 29 August 2005. 

2. Claims 1-7, 9-1 1, 13-23 and 25-28 are pending in the application. 

3. Claims 1-7, 9-11, 13-23 and 25-28 have been rejected. 

4. Claims 8, 12 and 24 have been cancelled. 

Response to Arguments 

5. Applicant's arguments with respect to claims 1-7, 9-11, 13-23 and 25-28 have been 
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S. C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

6. Claims 1-7, 17-23 and 25-28 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Exton et al U.S. Patent No. 6,910,041 B2. 

As to claim 1, Exton et al discloses a method of comparing access control lists to 
configure a security policy on a network, the method comprising the computer-implemented 
steps of: 

identifying first sub-entries in a first access control list [column 4 line 53 
to column 5 line 3]; 
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identifying second sub-entries in a second access control list [column 5, 
lines 4-24]; 

programmatically determining whether a first access control list is 
functionally equivalent to a second access control list in order to configure the 
security policy on the network by determining whether each first sub-entry in the 
first access control list is equivalent to at least one of the second subentries 
[column 6, lines 16-60]; and 

determining that the first access control list is functionally equivalent to 
the second access control list only when each of the first sub-entries is equivalent 
to at least one of the second sub-entries [column 6, lines 16-60]. 
As to claims 2, 18 and 28, Exton et al discloses that programmatically determining 
whether a first access control list is equivalent to a second access control list includes: 

identifying a dimensional range for each policy action specified in the first 
access control list, the dimensional range of each policy action characterizing 
communication packets specified by entries in the first access control list for that 
policy action [column 6, lines 16-60]; 

identifying a dimensional range for each policy action specified in the 
second access control list, the dimensional range of each policy action 
characterizing communication packets specified by entries in the second access 
control list for that policy action [column 6, lines 16-60]; and 

determining whether the dimensional range identified for each policy 
action in the first access control list is equivalent to the dimensional range 
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identified for each policy action in the second access control list [column 6, lines 
16-60]. 

As to claims 3 and 19,Exton et al discloses that identifying a dimensional range for each 
policy action specified in the first access control list and in the second access control list includes 
identifying a source address range and a destination address range for communication packets 
specified by each of the entries in the first access control list and in the second access control list 
[column 5, lines 26-38]. 

As to claims 4 and 20,Exton et al discloses that identifying a dimensional range for each 
policy action specified in the first access control list and in the second access control list includes 
identifying a source port range and a destination port range for communication packets specified 
by each of the entries in the first access control list and in the second access control list [column 
6, lines 16-60]. 

As to claims 5 and 21,Exton et al discloses that identifying a dimensional range for each 
policy action specified in the first access control list and in the second access control list includes 
identifying a communication protocol for communication packets specified by each of the entries 
in the first access control list and in the second access control list [column 6, lines 4-31]. 

As to claims 6 and 22, Exton et al discloses that the first access control list and the 
second access control list each specify a plurality of entries, and each entry identifies a 
dimensional range for a policy action, the dimensional range characterizing communication 
packets that are to be affected by the policy action, and wherein programmatically determining 
whether a first access control list is equivalent to the second access control list includes: 
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determining whether each entry in the first access control list has a 
dimensional range that is either equivalent to or contained by the dimensional 
range of entries in the second access control list that specify the policy action of 
the entry in the first access control list [column 6, lines 16-60]. 
As to claims 7 and 23,Exton et al discloses that the first access control list and the second 
access control list each specify a plurality of entries, and each entry identifies a dimensional 
range for a policy action, the dimensional range characterizing communication packets that are to 
be affected by the policy action, and wherein programmatically determining whether a first 
access control list is equivalent to the second access control list includes: 

determining whether each entry in the first access control list has a 
dimensional range that is either equivalent to or contained by the dimensional 
range of entries in the second access control list that specify the policy action of 
the, entry in the first access control list [column 6, lines 4-31]; and 

determining whether each entry in the second access control list has a 
dimensional range that is either equivalent to or contained by the dimensional 
range of entries in the first access control list that specify the same policy action 
[column 6, lines 4-31]. 
As to claim 17, Exton et al discloses a computer readable medium for comparing access 
control lists to configure a security policy on a network, the computer readable medium carrying 
instructions for performing the steps of: 

identifying first sub-entries in a first access control list [column 4 line 53 
to column 5 line 3]; 
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identifying second sub-entries in a second access control list [column 5, 
lines 4-24]; 

programmatically determining whether a first access control list is 
functionally equivalent to a second access control list in order to configure the 
security policy on the network by determining whether each first sub-entry is 
equivalent to at least one of the second sub-entries [column 6, lines 16-60]; and 

determining that the first access control list is functionally equivalent to 
the second access control list only when each of the first sub-entries is equivalent 
to at least one_of the second sub-entries [column 6, lines 16-60]. 
As to claim 25, Exton et al discloses a computer system for comparing access control lists 
to configure a security policy on a network, the computer system comprising: 

means for identifying first sub-entries in a first access control list [column 
4 line 53 to column 5 line 3]; 

means for identifying second sub-entries in a second access control list 
[column 5, lines 4-24]; 

means for programmatically determining whether a first access control list 
is functionally equivalent to a second access control list in order to configure the 
security policy on the network by determining whether each first sub-entry is 
equivalent to at least one of the second sub-entries [column 6, lines 16-60]; and 

means for determining that the first access control list is functionally 
equivalent to the second access control list only when each of the first sub-entries 
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is equivalent to one of more at least one of the second sub-entries [column 6, lines 
16-60]. 

As to claim 26, Exton et al discloses a policy server communicatively coupled to security 
devices in a network to configure a security policy on a network, the policy server comprising: 
a processor [column 3, lines 41-67]; 

a network interface that communicatively couples the processor to the 
network to receive flows of packets therefrom [column 3, lines 41-67]; 
a memory [column 3, lines 41-67]; and 

sequences of instructions in the memory which, when executed by the 
processor, cause the processor to carry out the steps of: 

identifying first sub-entries in a first access control list [column 4 line 53 
to column 5 line 3]; 

identifying second sub-entries in a second access control list [column 5, 
lines 4-24]; 

programmatically determining whether a first access control list is 
functionally equivalent to a second access control list in order to configure the 
security policy on the network by determining whether each first sub-entry is 
equivalent at least one of the second sub-entries [column 6, lines 16-60]; and 

determining that the first access control is functionally equivalent to the 
second access control list only when each of the first sub-entries is equivalent to 
at least one of the second sub-entries [column 6, lines 16-60]. 
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As to claim 27, Exton et al discloses the policy server further comprising a memory to 
store a plurality of access control lists, including the first access control list and the second 
access control list, and wherein the processor is configured to configure each security device on 
the network with at least one of the plurality of access control lists [column 4, lines 41-62]. 
7. Claims 9-11 and 13-16 are rejected under 35 U.S.C 102(e) as being anticipated by Bell 
et al U.S. Patent No. 6,880,005 Bl. 

As to claim 9, Bell et al discloses a method of comparing access control lists to configure 
a security policy on a network, the method comprising: 

identifying a dimensional range and a policy action for each entry in a first 
access control list [column 5 line 63 to column 8 line 30]; 

identifying all overlapping dimensional ranges in the first access control 
list, each overlapping dimensional range corresponding to where the dimensional 
ranges of entries in the first access control list overlap [column 5 line 63 to 
column 8 line 30]; 

identifying all non-overlapping dimensional ranges in the first access 
control list, each of the non-overlapping dimensional ranges corresponding to 
dimensional ranges of entries in the first access control list that do not overlap 
dimensional ranges of other entries in the first access control list [column 5 line 
63 to column 8 line 30]; 

identifying a policy action for each identified overlapping dimensional 
range of the first access control list [column 5 line 63 to column 8 line 30]; 
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identifying a policy action for each identified non-overlapping 
dimensional range of the first access control list [column 5 line 63 to column 8 
line 30]; and 

determining whether each identified overlapping and non-overlapping 
dimensional range identified from the first access control list is contained by or 
equal to a dimensional range of entries in a second access control list in which the 
entries of the second access control list have the policy action of that identified 
overlapping or non-overlapping dimensional range [column 5 line 63 to column 8 
line 30]; 

wherein identifying a policy action for each identified overlapping 
dimensional range of the first access control list includes using a conflict 
rule to determine the policy action from a first policy action of a first entry 
having a dimensional range within the overlapping dimensional rangy, and 
from a second policy action of a second entry having a dimensional range 
within the overlapping dimensional range, wherein the second policy 
conflicts with the first policy [column 5 line 63 to column 8 line 30]. 
As to claims 10 and 1 1, Bell et al discloses a method further comprising: 

identifying a dimensional range and a policy action for each entry in the 

second access control [column 5 line 63 to column 8 line 30]; 

identifying all overlapping dimensional ranges in the second access 

control list, each overlapping dimensional range corresponding to where the 
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dimensional ranges of entries in the second access control list overlap [column 5 
line 63 to column 8 line 30]; 

identifying all non-overlapping dimensional ranges in the second access 
control list, each of the non-overlapping dimensional ranges corresponding to 
dimensional ranges of entries in the second access control list that do not 
overlap dimensional ranges of other entries in the second access control list 
[column 5 line 63 to column 8 line 30]; 

identifying a policy action for each identified overlapping dimensional 
range in the second access control list [column 5 line 63 to column 8 line 30]; 

identifying a policy action for each identified non-overlapping 
dimensional range of the second access control list [column 5 line 63 to column 8 
line 30]; and 

determining whether each identified overlapping and non-overlapping 
dimensional range identified from the second access control list is contained by or 
equal to a dimensional range of one of-mere entries in the first access control list 
in which the entries of the first access control list have the policy action of that 
identified overlapping or non-overlapping dimensional range [column 5 line 63 to 
column 8 line 30]. 

As to claim 13, Bell et al discloses that using a conflict rule to determine the policy action 
comprises selecting one of the first policy or the second policy based on the selected first or 
second policy being newer [column 4, lines 9-35]. 



Application/Control Number: 10/044,019 Page 1 1 

Art Unit: 2131 

As to claim 14, Bell et al discloses that identifying a dimensional range and a policy 
action for each entry in the first access control list includes identifying a source address range 
and a destination address range for communication packets specified by each of the entries in the 
first access control list [column 3, lines 18-36]. 

As to claim 15, Bell et al discloses that identifying a dimensional range and a policy 
action for each entry in the first access control list includes identifying a source port range and a 
destination port range for communication packets specified by each of the entries in the first 
access control list [column 3, lines 18-36]. 

As to claim 16, Bell et al discloses that identifying a dimensional range and a policy 
action for each entry in the first access control list includes identifying a communication protocol 
for communication packets specified by each of the entries in the first access control list [column 
5 line 63 to column 8 line 30]. 

Conclusion 

8. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
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however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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